How To Send Sensitive, Secure Emails, Passwords, And Files Without Fear

So, here’s a common case: You need to share a password with someone, but if you just email it to them, it’s going to languish in their inbox and be exposed to any future hacker that might gain access to their account. Or perhaps you want to share a longer note, but don’t want to email it for the same reason: You don’t want the other side to have a permanent record of it, and you don’t want it to be intercepted by third parties. Finally, you might want to share a file securely, and be able to remove it once the other party (or parties) get it.

No matter your scenario, I’ve rounded up several solid ways to get your data across securely and privately. No single way provides perfect security (what is, really?), but they sure beat plain text notes.

Sharing Passwords and Text

The most important thing you can do after reading this post is to stop emailing passwords in plain text. Seriously – don’t do this, if you care even a little bit about the password in question. Some people send the password along with the service’s name (“My eBay password is …”), which is just crazy. But even if you send the password on its own, in an email with no subject or other contextual info, a third party might still be able to infer what the password is for. After all, Gmail (for example) saves chat logs alongside messages – so if you had a Google Talk chat with someone discussing a password and he mentioned emailing it later, an attacker could quickly figure it out.

So, sending encrypted text or securely sharing files can be considered luxuries, but securely sharing passwords is really not.

Old School: Pre-Shared Transposition Cipher

In truth, you don’t need any software to maintain pretty solid security when emailing passwords. Take this, for example:

Let’s say this is a password I emailed you. Only it’s not really the password: I’ve shifted the letters around a little bit. You and I both know I shifted them, and how, because we’ve discussed it in advance in another medium (say, Skype or phone). But an attacker won’t know I’ve shifted anything, and won’t even suspect it, because passwords often aren’t words or sentences. So the attacker would try to use “maeflrfyt” to log into a website, and would fail and move on… because the text actually says something else. Can you guess what it says? You don’t need any software to figure it out, I promise. Take a moment and try.

Okay, I’ll tell you: It says “makeuseof.” But how does it say that? If you’ve been following my posts, you know I use an alternative keyboard layout called Colemak. So what I’ve done is type the word “makeuseof” using QWERTY key locations, but on a Colemak keyboard. For example, where “k” falls in QWERTY, it’s actually “e” in Colemak:

So, anyone who has a Colemak map can easily read this cipher – they just have to know that’s the method I used. Of course, you don’t need an alternative keyboard to use this simple system. Even if you and the other party just agree to shift each letter by two (so, “c” instead of “a”, “b” instead of “z”), your password will be far, far more secure than if you email it in plaintext. I like this solution because it requires no third-party software – just a brain.
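The two pre-shared schemes described above, written out as an added Python example (not code from the original post): the QWERTY-to-Colemak key-position mapping and the shift-by-two. The layout tables are the standard letter rows of both layouts, and all function names are illustrative; the last function lists every other shift of a string, which shows that the shift scheme has only 25 possible keys.

```python
# Added example: the article's two pre-shared schemes. Names are illustrative.

# Letter keys in physical order (top, home, bottom row) for each layout.
QWERTY = "qwertyuiopasdfghjkl;zxcvbnm"
COLEMAK = "qwfpgjluy;arstdhneiozxcvbkm"

# Shifted (uppercase) variants; the shifted ";" key produces ":" on both layouts.
QWERTY_ALL = QWERTY + QWERTY.upper().replace(";", ":")
COLEMAK_ALL = COLEMAK + COLEMAK.upper().replace(";", ":")

TO_COLEMAK = str.maketrans(QWERTY_ALL, COLEMAK_ALL)
TO_QWERTY = str.maketrans(COLEMAK_ALL, QWERTY_ALL)


def layout_encode(secret):
    """Press the QWERTY key positions for `secret` on a Colemak keyboard."""
    return secret.translate(TO_COLEMAK)


def layout_decode(received):
    """Recover the secret from text produced by layout_encode()."""
    return received.translate(TO_QWERTY)


def shift(text, k):
    """Shift ASCII letters by k places, wrapping around; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(text):
    """Every other shift of `text`: the whole key space of the shift scheme."""
    return [shift(text, k) for k in range(1, 26)]


if __name__ == "__main__":
    print(layout_encode("makeuseof"))   # the article's example string
    print(layout_decode("maeflrfyt"))
    sent = shift("makeuseof", 2)        # sender shifts each letter by two
    print(sent, shift(sent, -2))        # recipient shifts back by two
    print(len(all_shifts(sent)))        # number of alternative keys
```
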

Without An Account: Burn Note

Okay, but what if you have something a bit longer to share? Say, a saucy email that can get you booted off your senior position in the CIA, or any other passage of text. For longer texts like this, a manual cipher becomes impractical – I wouldn’t expect anyone to slowly analyze a sentence letter by letter. But here’s another caveat: To be extra-secret, you don’t want to open an account anywhere. You don’t want to email your message or be linked to it in any other way. For this kind of work, Burn Note is ideal. This simple service lets you create password-protected notes that self-destruct once opened (the recipient has 180 seconds to read them by default), and can even be protected from copying. Creating a note looks like this:

Then, once you click Send, you get a short link:

The short link is nice, because it means you can even dictate it over the phone and don’t have to send the link itself in text if you don’t want to.

Then, when your recipient comes to view the message, Burn Note lets them know they have only a limited time to view it:

And my favorite part is viewing the message in Spyglass mode (which you, the sender, can specify):

Basically, your mouse cursor turns into a circle, and you move the circle over the window to reveal parts of the text. This seems gimmicky at first, but it’s actually brilliant: Not only does this prevent the recipient from copy/pasting the text, but they can’t even make a screenshot saving the message! Someone clearly put quite a bit of thought into this service, resulting in a truly secure and account-less way to share blocks of sensitive text.

With An Account: SafeGmail

Okay, so Burn Note is fantastic if you don’t want an account. But what if you don’t mind having an account, and are just looking for a way to quickly encrypt emails? If you use Gmail, you’re in luck: SafeGmail offers a simple and free solution. This free Chrome add-on plugs into the Gmail Web interface, adding an encryption checkbox to every message you compose:

You pick a question to be shown to your recipient, and specify the answer. SafeGmail then encrypts your message using PGP, so it looks like this to your recipient:

In other words, just a block of code with a link (the algorithm used is very secure). When clicking through to the SafeGmail interface, the recipient is asked to answer the question you’ve posed:

And then paste in the encrypted email:

Once they do that and click Show My Mail, the message is revealed:

The biggest advantage here is how nicely encryption is integrated with Gmail. I wish decryption was integrated in the same way, but even so, this is a useful service if you routinely email encrypted information.

With A Paid Account: LastPass

Last but certainly not least, there’s the paid version of cloud-based password manager LastPass. The free version can be used to manage your own passwords, but LastPass Premium has a nice feature that lets you securely share passwords with other people. Nicer still, you don’t actually have to pay for LastPass Premium: We’re giving away 1-year LastPass Premium accounts over at MakeUseOf Rewards!

Sharing Files

Okay, so we’ve seen three different ways to share text – now let’s talk about transferring files. This is simpler, because file-sharing services are incredibly common these days.

Without An Account: Ge.tt

There are many services that let you upload files and share a link with others without opening an account, but sadly, most of them are pretty spammy-looking and full of ads and other nags. One notable exception is the clean, elegant and free Ge.tt:

Ge.tt couldn’t be simpler to use, really: Just drag and drop any file onto your browser window (assuming you’re using Chrome), and off it goes. You then get a nice short link to share, and can send it to anyone you wish to give the file to. You can then go back to the same link yourself (as long as you don’t delete your browser cookies or switch computers, of course), see how many people downloaded the file, and quickly remove it from the service. Easy, free, and oh so slick.

With An Account: Dropbox, Google Drive, Or SkyDrive

This is an obvious one, but deserves a mention: Probably the most secure way to share files with specific individuals is using Dropbox, Google Drive, or SkyDrive. Dropbox and Google Drive both have optional two-factor authentication, and if all parties involved switch it on and have strong passwords, the result is a very secure, private transfer medium.

Final Thoughts

Did this post make you re-think your password-sharing habits, or other ways to share information? Do you think Burn Note is useful, or is it just a gimmick? And did I miss a great way to privately share info? Let me know in the comments!

Erez Zukerman

Wow, this is really disappointing! :( Turns out Burn Note launched a new version (shown here) right after this post was written (three days before it was published).

Having to provide an email address to use the service is a real blow to privacy. How lame.

Erez Zukerman

December 9, 2012

Upon testing the service again, it turns out it doesn’t send a validation email, so you can provide any random address as your email — doesn’t have to be a real one (I tried bla@bla.com and it worked). So… not as good, but still okay I guess.

Kamran Hassan

December 9, 2012

Oh cool. Thanks for that little tip. I just visited Burn Note but was put off by their signup requirement (especially email). Good to know there’s a simple way to work around that.
Keep up the great work, btw! Cheers

Douglas Mutay

December 10, 2012

Yes!!!! That’s all we need I guess. As long as we don’t give our true email. As for me I have an email specially created for these kinds of websites that require a validation email and use it whenever I don’t want to receive spam or don’t want to give my true info. I have used it for Burn Note and I didn’t even care if they had to send validation info… :-)

David Etter

December 12, 2012

I’ve used safe-mail.net for years to send/receive sensitive emails and files with others. They have a neat Safe Box system which requires a pre-arranged pw, and you can limit the time during which the file and email can be read by the recipient.

hotdoge3

December 27, 2012

Why use Comodo SecureEmail Certificates

Secure Certificates let you digitally sign emails to prove that the attachments and email content actually came from you. Secure Email Certificates allow you to easily encrypt your emails and ensure that the attachments and messages may only be read by the intended recipients. Digitally signing email with a digital Certificate means that it is impossible for anyone to edit the content of your mail without the recipient being alerted.